Patents by Inventor Nathan Howe
Nathan Howe has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 12659386
Abstract: The present disclosure relates to systems and methods for in-transit protocol translation. Specifically, various approaches are described for translating protocols for intermediate networks in a way by which there is no need of support for encapsulation/decapsulation at the end hosts and does not require any changes to end hosts or transit networks. Various embodiments include intercepting traffic between one or more source client devices and a transit network; detecting a first communication protocol used by the one or more source client devices in the traffic; translating the traffic from the first communication protocol to a second communication protocol; and forwarding the traffic to the transit network using the second communication protocol.
Type: Grant
Filed: August 8, 2023
Date of Patent: June 16, 2026
Assignee: Zscaler, Inc.
Inventors: Arvind Nadendla, Kartik Kumar Chatnalli Deshpande Sridhar, Subramanian Srinivasan, Vipin Kumar, Kenneth B. Urquhart, Nathan Howe
-
Patent number: 12652286
Abstract: Systems and methods for directing and enforcing zero trust control on requests to destination services. In various embodiments, steps include receiving a request from a user to access a destination service; directing the request to a control layer; enforcing one or more controls, via the control layer, on the request based on a configuration provided by an owner of the destination service; and providing access to the destination service to the user based on the one or more controls.
Type: Grant
Filed: November 13, 2023
Date of Patent: June 9, 2026
Assignee: Zscaler, Inc.
Inventor: Nathan Howe
-
Patent number: 12647462
Abstract: Systems and methods for intelligent application definition and protection. In various embodiments, steps include receiving a destination service definition from a customer; performing an assessment of the destination service to determine one or more policies to use for the destination service; responsive to receiving a request from a user to access the destination service, directing the request to a control layer, and enforcing one or more controls on the request based on the one or more policies; and providing access to the destination service to the user based on the one or more controls.
Type: Grant
Filed: November 13, 2023
Date of Patent: June 2, 2026
Assignee: Zscaler, Inc.
Inventor: Nathan Howe
-
Patent number: 12609939
Abstract: Systems and methods for a zero trust architecture are provided. A method, according to one implementation, includes detecting an initial attempt by an entity to connect, access, or communicate with a network resource and blocking the entity from initially connecting, accessing, or communicating with the network resource. The method also includes performing a verification procedure to verify one or more of an identity of the entity and a context of the initial attempt. The method also performs a control procedure to control one or more of malicious content and sensitive data. In addition, the method includes performing an enforcement procedure in response to results of the verification procedure and control procedure to determine how to handle the initial attempt.
Type: Grant
Filed: May 8, 2023
Date of Patent: April 21, 2026
Assignee: Zscaler, Inc.
Inventors: Nathan Howe, Sanjit Ganguli, Gerard Festa
-
Publication number: 20260089510
Abstract: Systems and methods for a zero trust mobile network-as-a-service include generating one or more virtualized mobile networks for one or more customers of a cloud service; receiving traffic from a Subscriber Identity Module (SIM) enabled device associated with a customer of the cloud service; steering the traffic through a virtualized mobile network based on the customer associated with the SIM enabled device; and applying zero trust policy to the traffic prior to the traffic exiting the virtualized mobile network.
Type: Application
Filed: September 23, 2024
Publication date: March 26, 2026
Applicant: Zscaler, Inc.
Inventors: Daan Huybregts, Nathan Howe, Ken Urquhart
-
Publication number: 20260058994
Abstract: Systems and methods for cloud discovery and orchestration include retrieving a plurality of out-of-band inputs related to a cloud environment; retrieving a plurality of inline inputs related to the cloud environment; determining one or more correlations between one or more destinations, sources, and networks associated with the cloud environment based on the out-of-band inputs and the inline inputs; and determining one or more relationships between the one or more destinations, sources, and networks based on the correlations.
Type: Application
Filed: August 26, 2024
Publication date: February 26, 2026
Applicant: Zscaler, Inc.
Inventors: Zoltan Kovacs, Nathan Howe
-
Patent number: 12513147
Abstract: Systems and methods for dynamic distributed name resolution. In various embodiments, steps include receiving a request from a user to access a destination service; resolving an Internet Protocol (IP) address for the destination service based on one or more characteristics of the request; enforcing one or more controls on the request based on a configuration provided by an owner of the destination service; and providing access to the destination service to the user based on the one or more controls.
Type: Grant
Filed: November 13, 2023
Date of Patent: December 30, 2025
Assignee: Zscaler, Inc.
Inventor: Nathan Howe
-
Patent number: 12506786
Abstract: Systems and methods for active exposure and unwanted connection protection. In various embodiments, steps include receiving a request from a user to access a destination service; directing the request to a control layer; enforcing one or more controls, via the control layer, on the request based on a configuration provided by an owner of the destination service; and creating a connection from the destination service to the control layer based on the one or more controls, thereby providing access to the destination service without exposing the destination service to a direct connection.
Type: Grant
Filed: November 13, 2023
Date of Patent: December 23, 2025
Assignee: Zscaler, Inc.
Inventor: Nathan Howe
-
Publication number: 20250358702
Abstract: This invention provides methods and systems for seamless mobile connectivity between public and private cellular networks. The system dynamically switches user devices between networks based on location, radio signal availability, or preconfigured policies that prioritize private networks when within range. For devices with physical SIM cards, an embedded applet enables switching between operator profiles, while ESIM profiles deploy applets for selecting among multiple identities within a profile. All cellular traffic, whether on public or private networks, is routed through a cloud-based system for centralized security and policy enforcement. Network selection may be influenced by defining the private network as the Home Public Land Mobile Network (HPLMN) or scanning available networks via applet capabilities. The system supports unified subscription, connectivity, and service management via a cloud-based portal, ensuring reliability and security across diverse network environments.
Type: Application
Filed: August 4, 2025
Publication date: November 20, 2025
Applicant: Zscaler, Inc.
Inventors: Stefan Anghel, Nathan Howe, Daan Huybregts, Subramanian Srinivasan
-
Publication number: 20250350647
Abstract: Disclosed is a method for implementing a Zero Trust Architecture (ZTA) to secure network resources by eliminating lateral threat movement and minimizing attack surfaces. A zero trust policy engine, positioned inline between user devices and network resources, receives and evaluates access requests by verifying user and device identities along with context information. Based on dynamic risk scores derived from these evaluations, the engine enforces least-privileged, identity-based access policies, selectively granting access exclusively to authorized resources. Connections are terminated and re-established through secure proxy techniques, with continuous inspection of traffic for threats and data loss. Adaptive security measures, including isolation through pixel-streaming and context-aware access adjustments, further enhance protection.
Type: Application
Filed: July 21, 2025
Publication date: November 13, 2025
Applicant: Zscaler, Inc.
Inventors: Sanjit Ganguli, Nathan Howe, Daniel Ballmer
-
Publication number: 20250317826
Abstract: The present invention provides systems and methods for cellular network performance monitoring and optimization, enabling SIM-based devices to dynamically adapt to changing network conditions for improved connectivity. The invention introduces a process that includes determining baseline path performance through detailed probing of network metrics, continuously assessing current path performance via real-time monitoring, and instructing the SIM to switch from its current connected mobile network carrier to an alternate carrier when predefined performance thresholds are not met. Switching instructions are securely delivered Over-The-Air (OTA) to the SIM, ensuring seamless transitions to the most efficient and reliable network path. The system leverages both active and passive application layer observations to optimize latency, throughput, and reliability while supporting diverse applications, including IoT devices, industrial systems, and consumer devices.
Type: Application
Filed: June 16, 2025
Publication date: October 9, 2025
Applicant: Zscaler, Inc.
Inventors: Nathan Howe, Daan Huybregts, Arvind Nadendla, Ken Urquhart
-
Patent number: 12408078
Abstract: The present disclosure relates to systems and methods for cloud-based 5G security network architectures intelligent steering, workload isolation, identity, and secure edge steering. Specifically, various approaches are described to integrate cloud-based security services into Multiaccess Edge Compute servers (MECs). That is, existing cloud-based security services are in line between a UE and the Internet. The present disclosure includes integrating the cloud-based security services and associated cloud-based system within service provider's MECs. In this manner, a cloud-based security service can be integrated with a service provider's 5G network or a 5G network privately operated by the customer. For example, nodes in a cloud-based system can be collocated within a service provider's network, to provide security functions to 5G users or connected by peering from the cloud-based security service into the 5G service provider's regional communications centers.
Type: Grant
Filed: March 21, 2022
Date of Patent: September 2, 2025
Assignee: Zscaler, Inc.
Inventors: Nathan Howe, Kenneth B. Urquhart, Subramanian Srinivasan, Sridhar Kartik Kumar Chatnalli Deshpande, Patrick Foxhoven
-
Patent number: 12389223
Abstract: The present disclosure relates to systems and methods for cloud-based 5G security network architectures intelligent steering, workload isolation, identity, and secure edge steering. Specifically, various approaches are described to integrate cloud-based security services into Multiaccess Edge Compute servers (MECs). That is, existing cloud-based security services are in line between a UE and the Internet. The present disclosure includes integrating the cloud-based security services and associated cloud-based system within service provider's MECs. In this manner, a cloud-based security service can be integrated with a service provider's 5G network or a 5G network privately operated by the customer. For example, nodes in a cloud-based system can be collocated within a service provider's network, to provide security functions to 5G users or connected by peering from the cloud-based security service into the 5G service provider's regional communications centers.
Type: Grant
Filed: August 17, 2022
Date of Patent: August 12, 2025
Assignee: Zscaler, Inc.
Inventor: Nathan Howe
-
Patent number: 12381916
Abstract: Systems and methods are provided for controlling network access in a zero trust environment. A method, according to one implementation, includes the step of monitoring and controlling access between a user device and a network application using a zero trust policy engine having a Zero Trust Architecture (ZTA) in which no user, user device, or network application is inherently trusted. The method further includes the step of granting trust by allowing the user device to access the network application when identity and context information associated with a user of the user device is verified and when policy checks of the zero trust policy engine are enforced.
Type: Grant
Filed: June 23, 2023
Date of Patent: August 5, 2025
Assignee: Zscaler, Inc.
Inventors: Sanjit Ganguli, Nathan Howe, Daniel Ballmer
-
Publication number: 20250158989
Abstract: Systems and methods for directing and enforcing zero trust control on requests to destination services. In various embodiments, steps include receiving a request from a user to access a destination service; directing the request to a control layer; enforcing one or more controls, via the control layer, on the request based on a configuration provided by an owner of the destination service; and providing access to the destination service to the user based on the one or more controls.
Type: Application
Filed: November 13, 2023
Publication date: May 15, 2025
Applicant: Zscaler, Inc.
Inventor: Nathan Howe
-
Publication number: 20250159023
Abstract: Systems and methods for active exposure and unwanted connection protection. In various embodiments, steps include receiving a request from a user to access a destination service; directing the request to a control layer; enforcing one or more controls, via the control layer, on the request based on a configuration provided by an owner of the destination service; and creating a connection from the destination service to the control layer based on the one or more controls, thereby providing access to the destination service without exposing the destination service to a direct connection.
Type: Application
Filed: November 13, 2023
Publication date: May 15, 2025
Applicant: Zscaler, Inc.
Inventor: Nathan Howe
-
Publication number: 20250158990
Abstract: Systems and methods for dynamic distributed name resolution. In various embodiments, steps include receiving a request from a user to access a destination service; resolving an Internet Protocol (IP) address for the destination service based on one or more characteristics of the request; enforcing one or more controls on the request based on a configuration provided by an owner of the destination service; and providing access to the destination service to the user based on the one or more controls.
Type: Application
Filed: November 13, 2023
Publication date: May 15, 2025
Applicant: Zscaler, Inc.
Inventor: Nathan Howe
-
Publication number: 20250159022
Abstract: Systems and methods for intelligent application definition and protection. In various embodiments, steps include receiving a destination service definition from a customer; performing an assessment of the destination service to determine one or more policies to use for the destination service; responsive to receiving a request from a user to access the destination service, directing the request to a control layer, and enforcing one or more controls on the request based on the one or more policies; and providing access to the destination service to the user based on the one or more controls.
Type: Application
Filed: November 13, 2023
Publication date: May 15, 2025
Applicant: Zscaler, Inc.
Inventor: Nathan Howe
-
Patent number: 12284158
Abstract: Cloud-based 5G security, implemented in a Multi-Access Edge Compute (MEC) system, includes steps of receiving a request for compute resources from User Equipment (UE); validating a user of the UE for the compute resources; responsive to the user being authorized, creating a connection between the UE and a destination of the compute resources; responsive to the user being unauthorized, rendering the compute resources as hidden from the UE. The steps can include utilizing a cloud-based system for control and signaling the connection.
Type: Grant
Filed: October 1, 2021
Date of Patent: April 22, 2025
Assignee: Zscaler, Inc.
Inventors: Nathan Howe, Kenneth B. Urquhart
-
Patent number: 12177667
Abstract: The present disclosure relates to systems and methods for cloud-based 5G security network architectures intelligent steering, workload isolation, identity, and secure edge steering. Specifically, various approaches are described to integrate cloud-based security services into Multiaccess Edge Compute servers (MECs). That is, existing cloud-based security services are in line between a UE and the Internet. The present disclosure includes integrating the cloud-based security services and associated cloud-based system within service provider's MECs. In this manner, a cloud-based security service can be integrated with a service provider's 5G network or a 5G network privately operated by the customer. For example, nodes in a cloud-based system can be collocated within a service provider's network, to provide security functions to 5G users or connected by peering from the cloud-based security service into the 5G service provider's regional communications centers.
Type: Grant
Filed: March 21, 2022
Date of Patent: December 24, 2024
Assignee: Zscaler, Inc.
Inventors: Nathan Howe, Kenneth B. Urquhart, Subramanian Srinivasan, Sridhar Kartik Kumar Chatnalli Deshpande, Patrick Foxhoven